HIPAA/Privacy: Our Responsibilities


HIPAA Timeline
• 8/21/96 HIPAA enacted
• 12/28/00 “Final” Privacy Rule published
• 7/06/01 Privacy Rule guidance issued
• 4/14/02 Privacy Rule effective date (postponed from Feb. 26)
• 8/14/02 Amended “Final” Rule published
• 12/3/02 Privacy Rule guidance issued
• 4/14/03 Privacy Rule compliance date
• 2/20/03 Final Security Rule published
• 4/20/05 Security Rule compliance date
• 2/16/06 Final Enforcement Rule published
• 2/17/09 HITECH Act enacted
• 4/17/09 Breach Notification guidance issued
• 8/24/09 Breach Notification Interim Final Regulation published
• 10/29/09 HITECH Act Enforcement Interim Final Rule published
• 1/25/13 Final Omnibus Rule published

3 Copyright 2013 Merten/Ali


What is HIPAA?
• HIPAA: Health Insurance Portability and Accountability Act
• Sets the standard for protecting health information
• Addresses uses and disclosures of Protected Health Information (PHI)
• As health care providers, we fall under this rule (Covered Entity)
• Balance between using the information to provide care and protecting privacy of those seeking care


HIPAA Basics
• Security Requirements for administrative, physical, and technical safeguards to assure data integrity, confidentiality and availability
• Privacy Rules
• Goal: Improve the efficiency and effectiveness of electronic information transfers used in the provision, management and financing of health care in the U.S.


Basic Rules
• A Covered Entity may not use or disclose protected health information (PHI), except as otherwise permitted or required
– “Use” means any sharing, examination, employment or application of PHI within a Covered Entity
– “Disclosure” means any transaction, provision of, access to, or divulging of PHI outside a Covered Entity


What is HITECH?
• Extends reach of HIPAA Privacy and Security Rules
• Effective 2/2010 – Applies directly to BAs
• Imposes breach notification requirements on Covered Entities and Business Associates
• Limits certain uses and disclosures of PHI
• Increases individuals’ rights related to PHI
• Increases enforcement and penalties for privacy and security violations
• Significant Harm Standard


The Final Omnibus Rule
• Increased liability for Business Associates
• Stronger limitations on the use/disclosure of PHI for marketing and fundraising purposes
• Patients have the right to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment when the patient is self-pay
• Expansion of patient rights to be amended in Notice of Privacy Practices
• Changes to breach notification rule
• Flexibility with a decedent’s PHI


What is PHI?

• 18 Patient Identifiers

Individually Identifiable Health Information
• PHI also includes anything that can be individually identifiable
– Individual’s past, present, future physical or mental health condition
– Past, present, future payment for the provision of health care
– Anything that can reasonably identify the patient


Now that we know what PHI is…

When can we actually use/disclose PHI?


Permitted Uses and Disclosures
• To the individual
• Treatment, Payment, Operations
• Opportunity to agree or object
– i.e. Individual is incapacitated, emergency situations
– Exercise professional judgment as to the best interest of the individual
• Incidental use/disclosure
• Minimum necessary
• Public Interest (e.g., reporting child abuse)
• Limited Data Sets for research, public health, health care operations


Permitted Uses & Disclosures of PHI
• Basic rules:
– Must make “good faith” effort to obtain patient’s acknowledgement of Notice of Privacy Practices
– Must obtain Authorization for most other uses and disclosures
– Special rules to use PHI for research


Permitted Uses & Disclosures of PHI
• Disclosures permitted without Authorization:

– Public health activities

– Reporting child abuse

– Reporting other abuse, neglect, domestic violence, etc.

– Health oversight activities

– Judicial and administrative proceedings

– Law enforcement purposes

– Otherwise required by law


Permitted Uses & Disclosures of PHI
• Disclosures permitted without Authorization (cont’d):
– Decedents - funeral directors, coroners, and medical examiners
– Cadaveric organ, eye, tissue donation
– Research - waiver of Authorization approved by IRB or a Privacy Board
– Serious threat to health or safety
– Government functions - Armed Forces, national security, correctional institutions
– Workers’ compensation


When Do You Need An Authorization?
• Psychotherapy Notes

• Marketing

• Fundraising


Minimum Information Necessary
• Covered Entity must reasonably ensure that it does not request, use or disclose more than the minimum amount of PHI necessary
• Generally may not disclose entire medical record, except to providers for treatment
• Develop criteria to limit disclosures
• Review requests for disclosures on an individual basis
• Use standard protocols for recurring requests
• Identify which members of work force require which items of PHI and limit access accordingly


Exceptions to Minimum Necessary Requirement

• Providers for treatment purposes (disclosure and request, but not use)

• Individual patient request

• Authorization

• Required by law

• HHS for compliance purposes


Disclosures for Use by Another Covered Entity
• Covered Entity is permitted to disclose PHI to a second Covered Entity:
– For payment activities of second Covered Entity (in addition to treatment)
– If both have a relationship (current or past) with the patient, may disclose PHI for certain health care operations (quality assessment and improvement, fraud and abuse detection, developing protocols, case management, evaluating performance, training, accreditation, credentialing, licensing, etc.)


Incidental Uses & Disclosures
• Uses and disclosures that are “incidental” to an otherwise permitted use or disclosure are permissible if the Covered Entity has:
– Complied with the minimum necessary standard and
– Adopted reasonable administrative, technical and physical safeguards


Incidental Uses & Disclosures
• An incidental use or disclosure is a secondary use or disclosure that
– Cannot reasonably be prevented,
– Is limited in nature and
– Occurs as a by-product of an otherwise permitted use or disclosure

• The following incidental uses and disclosures (assuming Covered Entity otherwise complies with Privacy Rule) would be permitted:

• Confidential communication between providers is overheard by an unauthorized person

• Discussion of lab results with a patient or other provider in a joint treatment room

• Oral coordination of services at a hospital nursing station


Incidental Uses & Disclosures
• Permissible incidental uses or disclosures do not include:
– Uses or disclosures that result from a failure to apply reasonable safeguards or the minimum necessary standard
  • For example, using a waiting room sign-in sheet to obtain a patient’s health history
– Errors that result from mistake or neglect
  • For example, posting a patient’s PHI erroneously on provider’s website or sending PHI to the wrong person by e-mail


Common HIPAA Issues
• Access of protected health information (PHI) for purposes other than treatment, payment or operations

• Inappropriate sharing of PHI

• Accidental disclosures

• Social Media


Misdirected Faxes: OCR Recommended Checklist
• Carefully check the fax number to make sure you have the correct number for the intended recipient. When you manually enter the number, check to see that it has been entered correctly before sending.
• Confirm the fax number with the intended recipient when faxing to this party for the first time or if the fax number is not regularly used.
• Program regularly used numbers into fax machines. Check to make sure you are selecting the preprogrammed number for the correct party before sending.
• Update fax numbers promptly upon receipt of notification of correction or change. Have procedures for deleting outdated or unused numbers which are preprogrammed into the fax machine.
• Locate fax machines in areas where access can be monitored and controlled and avoid leaving patient information on fax machines after sending.
• Have policies and procedures in place to safeguard PHI that is faxed, including processes to act promptly on (1) changes in fax numbers to ensure corrections are made in all the relevant records; and (2) reports of a misdirected fax to identify the cause and take steps to prevent future incidents, including revising the organization’s policies and procedures.
• Train staff on the policies and procedures for the proper use of fax machines that your organization has put into place to safeguard PHI during faxing. Update the training periodically and be sure to train new staff.


Common Misconceptions
• Misdirected faxes from one corporate site to another are NOT a breach
– Remember Treatment, Payment, Operations
• Privacy Office should be notified of any potential breaches
– Determine risk and level of harm


Patient Rights and HIPAA


Notice of Privacy Practices
• Individual has a right to adequate notice of the uses and disclosures of PHI
• Notice should describe individual’s rights and the covered entity’s legal duties with respect to PHI
• The covered entity must provide a notice that is written in plain language and that contains the following elements:
– Uses and disclosures
– Statements for certain uses or disclosures
– Individual rights
– Covered entity’s responsibilities
– Complaints, contact information and effective date
– State law preemptions


Patient Rights/Requests
• Access

• Accounting of disclosures

• Alternate/confidential communications

• Amendment

• Restrictions

• Filing a complaint


Access
• An individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record set
• Except for:
– Psychotherapy notes;
– Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
– PHI maintained by a covered entity that is subject to the Clinical Laboratory Improvements Amendments of 1988
• A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances:
– A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution
– An individual’s access to PHI created or obtained by a covered health care provider in the course of research that includes treatment


Access
• Timely response
– The covered entity must respond to a request for access no later than 30 days after receipt
– If the request for access is for PHI that is not maintained or accessible to the covered entity on-site, the covered entity may request an extension by no later than 60 days from the receipt of such a request
• The covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
– Copying, including the cost of supplies and labor of copying, whether in paper or electronic form;
– Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media
– Postage, when the individual has requested the copy, or the summary or explanation, be mailed
– Preparing an explanation or summary of the PHI, if agreed to by the individual
• Source: §164.524


Accounting of Disclosures
• An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
– To carry out treatment, payment and health care operations
– To individuals of PHI about themselves
– Incident to a use or disclosure otherwise permitted or required
– Pursuant to an authorization
– For the facility’s directory or to persons involved in the individual’s care
– For national security or intelligence purposes
– To correctional institutions
– As part of a limited data set
– That occurred prior to the compliance date for the covered entity


Accounting of Disclosures
• Timely response
– The covered entity must act on the individual’s request for an accounting, no later than 60 days after receipt of such a request
– If the covered entity is unable to provide the accounting within the time required, the covered entity may extend the time to provide the accounting by no more than 30 days
• Fees
– The covered entity must provide the first accounting to an individual in any 12 month period without charge
• Suspension of an accounting
– The covered entity must temporarily suspend an individual’s right to receive an accounting of disclosures to a health oversight agency or law enforcement official, if the agency or official provides a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities


Accounting of Disclosures
• The covered entity must provide the individual with a written accounting that meets the following requirements:
– The date of the disclosure
– The name of the entity or person who received the PHI and, if known, the address of such entity or person
– A brief description of the PHI disclosed; and
– A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or
• Source: §164.528
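As an added example (not part of the slide deck), the three Accounting of Disclosures slides modelled in Python: a disclosure log is filtered by the exempt categories and the six-year look-back, each entry carries the four required fields, and the 60-day response, 30-day extension and free-first-accounting rules are computed. The category labels, sample log and compliance date are constructed assumptions for the example.

```python
"""Accounting-of-disclosures helper based on the slide summary of §164.528."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Disclosure categories the slides list as exempt from the accounting.
# The labels are constructed for this example, not taken from the regulation.
EXEMPT_CATEGORIES = frozenset({
    "treatment", "payment", "operations",   # treatment, payment, health care operations
    "to_individual",                         # to the individual about themselves
    "incidental",                            # incident to a permitted use or disclosure
    "authorization",                         # pursuant to an authorization
    "facility_directory", "involved_in_care",
    "national_security",
    "correctional_institution",
    "limited_data_set",
})

ACCOUNTING_YEARS = 6           # look-back window before the request date
RESPONSE_DAYS = 60             # must act no later than 60 days after receipt
EXTENSION_DAYS = 30            # one extension of no more than 30 days
FREE_ACCOUNTINGS_PER_YEAR = 1  # first accounting in any 12-month period is free


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]  # recorded "if known"
    description: str                  # brief description of the PHI disclosed
    purpose: str                      # brief statement of the basis for the disclosure
    category: str                     # exemption label above, or anything else


def years_before(d: date, years: int) -> date:
    """Calendar-year subtraction that tolerates a Feb 29 start date."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_for(log: Iterable[Disclosure], patient_id: str,
                   requested_on: date, compliance_date: date) -> List[Dict[str, str]]:
    """Entries owed to one individual, oldest first, with the four required fields.

    Drops exempt categories, disclosures older than six years before the request,
    and disclosures made before the covered entity's compliance date.
    """
    window_start = max(years_before(requested_on, ACCOUNTING_YEARS), compliance_date)
    entries = []
    for d in log:
        if d.patient_id != patient_id or d.category in EXEMPT_CATEGORIES:
            continue
        if not (window_start <= d.disclosed_on <= requested_on):
            continue
        recipient = d.recipient if d.recipient_address is None \
            else f"{d.recipient}, {d.recipient_address}"
        entries.append({"date": d.disclosed_on.isoformat(), "recipient": recipient,
                        "description": d.description, "purpose": d.purpose})
    entries.sort(key=lambda e: e["date"])
    return entries


def response_deadline(received_on: date, extended: bool = False) -> date:
    """Date by which the covered entity must act, with the optional 30-day extension."""
    return received_on + timedelta(days=RESPONSE_DAYS + (EXTENSION_DAYS if extended else 0))


def fee_may_be_charged(prior_accounting_dates: Iterable[date], requested_on: date) -> bool:
    """True only if the individual already received an accounting in the past 12 months."""
    since = years_before(requested_on, 1)
    recent = [d for d in prior_accounting_dates if since < d <= requested_on]
    return len(recent) >= FREE_ACCOUNTINGS_PER_YEAR


# Constructed sample log; no real PHI.
SAMPLE_LOG = [
    Disclosure("P-001", date(2013, 3, 4), "County Health Dept", "1 Main St",
               "Immunization record", "Public health reporting", "public_health"),
    Disclosure("P-001", date(2010, 8, 20), "Medical Examiner", None,
               "Cause-of-death data", "Coroner inquiry", "decedent"),
    Disclosure("P-001", date(2013, 2, 1), "Dr. Example", None,
               "Visit notes", "Treatment", "treatment"),            # exempt
    Disclosure("P-001", date(2006, 5, 9), "State Court", "2 Court Sq",
               "Lab results", "Subpoena", "judicial"),              # outside six years
    Disclosure("P-002", date(2013, 1, 15), "Insurer", None,
               "Claim", "Payment", "payment"),                       # other patient
]

if __name__ == "__main__":
    for entry in accounting_for(SAMPLE_LOG, "P-001", date(2013, 6, 1), date(2003, 4, 14)):
        print(entry)
```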


Alternate/Confidential Communications
• A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of PHI from the covered health care provider by alternative means or at alternative locations

• A covered entity may require the individual to make a request in writing

• A covered health care provider may not require an explanation from the individual

• Source: §164.522(b)


Amendment
• An individual has the right to have a covered entity amend PHI or a record about the individual in a designated record set
• A covered entity may deny an individual’s request for amendment, if it determines that the PHI:
– Was not created by the covered entity
– Is not part of the designated record set
– Would not be available for inspection
– Is accurate and complete
• Timely response
– The covered entity may require individuals to make requests for amendment in writing
– The covered entity must act on the individual’s request for an amendment no later than 60 days after receipt
– If the covered entity is unable to act on the amendment within the time, the covered entity may extend the time for such action by no more than 30 days
• Source: §164.526


Restrictions
• Existing Restriction requirements:
– A covered entity must permit an individual to request that the covered entity restrict:
  • Uses or disclosures of PHI about the individual to carry out treatment, payment, or health care operations; and
  • Uses and disclosures for involvement in the individual’s care and notification purposes
– A covered entity is not required to agree to a restriction
– A covered entity that agrees to a restriction may not use or disclose PHI in violation of such restriction
– If restricted PHI is disclosed to a health care provider for emergency treatment
• HITECH Restriction amendments:
– A covered entity must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan if:
  • The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
  • The PHI pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full

• Source: §164.522(a)


Filing a Complaint
• A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures
• Methodologies
– Facilities
– Website
– Privacy Office
– Toll free number
• A covered entity must document all complaints received, and their disposition, if any
• A covered entity must refrain from intimidating or retaliatory acts against any individual for:
– Filing of a complaint with the covered entity
– Filing of a complaint with the Secretary of the DHHS

• Source: §164.530(g)


Uses & Disclosures Requiring Opportunity for Individual to Agree or Object
• “Opt-in; Opt-out”
• Facility directories
– Name, location in facility, general condition, religious affiliation
– Emergency exception
• Family members or others involved with the individual’s care or treatment
– If individual is present: inferences permitted
– If individual is not present: professional judgment as to best interest of patient


Contemporary Challenges

• Laptops

• Smartphones

• Email

• Texting


New & Emerging Technologies
• Social media
– A social networking website focuses on building online communities of people who usually share interests and/or activities
– Confidential/sensitive patient information
• Cloud
– Cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid
– Public, private, hybrid
• Bring your own device (BYOD)
– Refers to employees who bring their own computing devices, such as smartphones, laptops or tablets, to the workplace for use and connectivity on the corporate network
– Segregation of data (personal vs. work)
• Texting


Now that we know what PHI is…

What can we do to protect PHI?

What is the Employee’s Role?
• Protect Patient Privacy
– Double check files
– Compare patient identifiers
– Minimum necessary
– Use low voices in hallways and reception area
• Protect Patient Rights
– NPPs, Restrictions, Disclosures, Access, Communications
– Social Media Awareness
• HIPAA Awareness
– Use resources
– Make good faith efforts
– Obtain authorizations
– Notify manager


What is the Role of the Privacy Office?
• To determine if breach exists and if there is significant harm

• To answer your questions

• To educate/train associates

• Create awareness


Elements of a Program – Best Practices

Seven Elements of an Effective Compliance Program | HIPAA Privacy Program
Establish policies, procedures and controls | Policies, procedures and governance
Exercise effective oversight | Privacy Official/Office designation
Exercise due diligence to avoid delegation of authority to unethical individuals | Complaint processing
Communicate and educate employees on the program | Training and education
Ensure consistent enforcement and discipline of violations | Sanctions
Monitor and audit compliance and effectiveness | Internal audit and accounting of disclosures
Respond appropriately to incidents and take steps to prevent future incidents | Mitigation


Enforcement & Investigations
• The Office for Civil Rights (“OCR”)
– Oversees enforcement of the HIPAA privacy and security rules
– Tier threshold and fines were changed pursuant to HITECH
– Fines can be assessed on a daily basis until the violation is mitigated
– Each complaint received from OCR must be thoroughly investigated
– The covered entity is required to self report “breaches”
– OCR has stated that they will automatically investigate breaches that involve over 500 individuals
• State Attorneys General
– HITECH addresses the ability of State Attorneys General to investigate HIPAA violations
– The attorney general of the State may bring a civil action on behalf of residents of the State where there is reason to believe that one or more of the residents of that State has been or is threatened or adversely affected by a violation


HHS/OCR Enforcement Data
• From the HHS website, the top four issues in investigated cases closed with corrective action between 2004 – 2010 are:

• Impermissible Uses & Disclosures

• Safeguards

• Access

• Minimum Necessary


Best Practices – OCR Audits
• HITECH requires HHS to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards
• Audit Protocol Program
– OCR HIPAA Audit program analyzes processes, controls, and policies of covered entities
– The protocol serves as a “best practices” for every covered entity and business associate
– http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
